Newsletters
The Enterprise Security Supersite NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
Home Network Security Viruses & Malware Cybercrime Security Solutions More Topics...
Eliminate costly downtime!
Find out how with Free White Paper
& enter to win a Samsung Galaxy Note

www.apc.com
Mobile Security
Tame your scariest paperwork. Find Out How
Average Rating:
Rate this article:  
Android Master Key Vulnerability Exploited in Two Apps
Android Master Key Vulnerability Exploited in Two Apps

By Seth Fitzgerald
July 24, 2013 10:39AM

Bookmark and Share
When Symantec first wrote about the Android "master key" flaw, which was identified by startup Bluebox Security, Google automatically released a patch to protect devices. While the patch protects Nexus devices, manufacturers still have to push out updates to non-Nexus phones, which could take months.
 


Symantec researchers say the first known use of the Android "master key" vulnerability has been found in the wild. Two applications distributed on unofficial Android marketplaces in China were found to be using the exploit.

When Symantec's team first discussed the vulnerability earlier this month, which was identified by startup Bluebox Security, they said they expected attackers to exploit it quickly because of its ease-of-use. They appear to have been right on the mark.

The two applications discovered in the marketplace were legitimate apps which are meant to help people find and make doctor appointments, however an attacker seems to have added code to the apps in order to make them exploit the Android master key vulnerability.

The Exploit

Both of the previously legitimate applications have been infected with additional code which allows the hacker to remotely control devices, access data, send premium SMS messages, and disable security features.

By using this vulnerability, the hacker modified the applications by adding a new classes.dex file which contains the code, as well as a new manifest file which specifies permissions.

The attackers ability to send out premium texts is one of the most concerning aspects of the exploit. Each premium text that is sent out because of this code will incur a charge, although all of the fees will be directed to the attacker and not to the carrier.

Difficulty Updating

When Symantec first announced that they had discovered this type of flaw, Google automatically released a patch which would protect devices. Even though the patch prevents Nexus devices against attacks, manufacturers still have to push out updates with the patch to non-Nexus phones.

The process of sending out updates can sometimes take months, no matter how important the update is to a device. Millions of Android devices either never receive updates or they receive very few updates, resulting in continuous vulnerabilities to many different attacks.

This type of delay has been one of the major criticisms of Android especially recently, and has resulted in many people praising Apple because of how fast and easily it is able to push out security updates to all of their devices.

Many users are now demanding that carriers and phone manufacturers find a new way of receiving and pushing out important security-based updates. Although design changes require a lot of custom tailoring to individual phones, security updates should take far less time to distribute.

Protecting Your Device

Since it could take months for a security update to be implement on all Android phones, there are a few ways to protect your device from attacks like this one.

Simply downloading Norton Security antivirus should keep any infected applications from harming your device. Another alternative is the Bluebox Security Scanner, which should also provide the necessary protection.

Users with a Nexus or Samsung device will have already had the patch sent out to their phone, but taking these precautions is important for users with any other type of device.
 

Tell Us What You Think
Comment:

Name:



Neustar, Inc. (NYSE: NSR) is a trusted, neutral provider of real-time information and analysis to the Internet, telecommunications, information services, financial services, retail, media and advertising sectors. Neustar applies its advanced, secure technologies in location, identification, and evaluation to help its customers promote and protect their businesses. More information is available at www.neustar.biz.


 Mobile Security
1.   Data Recovered from 'Wiped' Phones
2.   Anti-Spying Blackphone Starts Shipping
3.   Android, Win Phone To Get Kill Switch
4.   Report: Spyware on Chinese Phone
5.   BlackBerry BBM Boosts Security


advertisement
Data Recovered from 'Wiped' Phones
Android 'factory reset' is inadequate.
Average Rating:
Anti-Spying Blackphone Starts Shipping
Development result of NSA revelations.
Average Rating:


advertisement
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Wall Street Journal Hacked Again
Hacked again. That’s the story at the Wall Street Journal this week as the newspaper reports that the computer systems housing some of its news graphics were breached. Customers not affected -- yet.
 
Dropbox for Business Beefs Up Security
Dropbox is upping its game for business users. The cloud-based storage and sharing company has rolled out new security, search and other features to boost its appeal for businesses.
 
34 European Banks Hit by Android-Skirting Malware
Criminals have been finding gaping holes in Android-based two-factor authentication systems that banks around the world are using. The result: 34 banks in four European countries have been hit.
 
New Web Tracking Technologies Defeat Privacy Protections
Recently developed Web tracking tools are able to circumvent even the best privacy defenses, according to a new study by researchers at Princeton and the University of Leuven in Belgium.
 
Juniper DDoS Solution Aims at High-IQ Networks
In the face of more complex attacks, Juniper Networks is boosting its DDoS Secure solution to help companies mitigate the threats with more effective security intelligence throughout the network fabric.
 
Large-Volume DDoS Attacks Hit Record in 2014
The number of distributed denial-of-service (DDoS) attacks set a record in the first half of 2014, according to a report by Arbor Networks. The number of attacks over 20 GB/sec doubled.
 
Can Google Put an End to Zero Day Flaws?
Google wants the Internet-using world to know that security is a top priority. That’s the message behind Project Zero, a team of researchers on the prowl for cyber threats and bugs.
 
U.N.: Nations Hide Rise in Private Digital Snooping
Governments on every continent are hiding an increasing reliance on private companies to snoop on citizens' digital lives, the U.N. human rights office says, with grave concerns about privacy.
 
Google Sends Hacker Team to Hunt Bugs
If it takes a thief to catch a thief, Google is hoping that it takes a hacker to catch a hacker. Project Zero is a team of top security researchers whose job is to track down zero-day vulnerabilities.
 
Russian Hackers Attack CNET Database
It’s hardly Anonymous, but the results are similar. CNET was attacked by Russian hackers over the weekend. Twitter user @rev-priv8 put up an image of an apparent remote access to a CNET.com server.
 
FBI Cyber-Expert Is Ex-Discount Furniture Salesman
J. Keith Mularski's world has expanded greatly since he stopped selling discount furniture to join the FBI in 1998. He is now recognized as one of the country's foremost experts on cybercrime.
 
Chinese Man Accused of Hacking into U.S. Computers
Authorities have charged a Chinese businessman with hacking into the computer systems of U.S. companies with large defense contracts, including Boeing, to steal data on military projects.
 
Report: Chinese Hackers Hit U.S. Personnel Networks
Hackers from China broke into the computer networks of the U.S. Office of Personnel Management earlier this year with the intention of accessing the files of tens of thousands of federal employees.
 

Enterprise Hardware Spotlight
Microsoft Makes Design Central to Its Future
Over the last four years, Microsoft has doubled the number of designers it employs, putting a priority on fashioning devices that work around people's lives -- and that are attractive and cool.
 
Contrary to Report, Lenovo's Staying in Small Windows Tablets
Device maker Lenovo has clarified a report that indicated it is getting out of the small Windows tablet business -- as in the ThinkPad 8 and the 8-inch Miix 2. But the firm said it is not exiting that market.
 
Seagate Unveils Networked Drives for Small Businesses
Seagate is out with five new networked attached storage products aimed at small businesses. The drives are for companies with up to 50 workers, and range in capacity from two to 20 terabytes.
 
Another Day, Another Internet of Things Consortium Is Born
In the emerging Internet of Things, zillions of devices will be talking to each other. Samsung, Intel and Dell just formed a consortium to ensure each thing can understand what others are saying.
 
Gartner Sales Study Sees Tablets Up, PCs Down but Recovering
Are PCs on the comeback trail? That depends on how you define "comeback." While tablet sales remain strong, Gartner's latest study found PC shipments aren't dropping as fast as they did last year.
 
Oracle Unveils Upgrades to ZS3 Storage Server Line
Enhancements to the ZFS Storage ZS3 Series were released by Oracle Wednesday, enabling the ZS3-2 to handle more than 16,000 virtual machine boots from a single platform in less than 7 minutes.
 
Intel Heralds New Xeon Server Chip, Most Powerful Ever
It’s called Knights Landing and it’s the most powerful version of Intel’s Xeon Phi supercomputing processor. The chip is set to be available in commerical systems in the second half of 2015.
 
Review: Warming Up to Tablets with Keyboard Covers
If you've ever thought tablets with keyboard covers were just a poor excuse for a laptop, think again. Nokia's Lumia 2520 comes with an optional keyboard cover that just may change your mind.
 
Facebook Unveils Wedge Open-Source Network Switch
It turns out Facebook is into networking that is more than just social, unveiling an open-source, software-defined networking switch that could ultimately disrupt the networking equipment market.
 
Review: Microsoft Surface Pro 3 an iPad Alternative
When Microsoft announced the Surface, the tablet was unsuccessfully pitched as an iPad alternative. Now it's being marketed to consumers as a replacement for both their iPads and MacBooks.
 
Schneider Electric Unveils Data Center Power Modules
New modules for data center electricity needs are being offered by Schneider Electric. The company described the new prefabricated approach as "revolutionary" in its flexibility and customization.
 
Broadcom Unveils XLP500 Series with SDN in Mind
With so much focus on software-defined networks, Broadcom is expanding its XLP II multi-core communications processors line to meet evolving industry needs with the XLP500 Series.
 
Best of Interop 2014 Finalists Announced
Judges have chosen finalists for this year's Best of Interop awards, with winners to be named April 1 in Las Vegas. The nine categories include networking, mobility, security, cloud and data storage.
 
Cisco Telecom Router Ready for Internet Traffic Flood
The Carrier Routing System-X unveiled by Cisco for the telecom industry is a 400 Gbps per slot system that can be expanded to nearly 1 petabit per second, enough to deal with the coming flood in demand.
 
Interop: Networking Leaders Demo Shortest Path Bridging
Avaya, Alcatel-Lucent, Spirent and HP are teaming to endorse Shortest Path Bridging for fabric networking, and they're demonstrating their multi-vendor network for the first time at Interop Las Vegas.
 

Navigation
Enterprise Security Today
Home/Top News | Network Security | Viruses & Malware | Cybercrime | Security Solutions | Mobile Security | Disaster Recovery | Windows Security
Data Security | EST Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.